Newbie about MD5

plasmahba

Hello

I am making a database with mySQL with users and passwords and I am not sure if a can create the field of password encrypted with MD5 so if somebody snoops around, won´t get the passwords.

I know that I can create a form to encrypt the pwds but in this case there won´t be a form, I will type them on the database directly.

Is there anyway to do it?

Any help is fully appreciated.

rachel2004

Originally posted by plasmahba
Is there anyway to do it?

Have you considered looking up encryption functions in the MySQL manual? Having just looked at it, I would say you have a lot of options.

http://dev.mysql.com/doc/mysql/en/Encryption_functions.html

Tracer

Actually.. He sould probably Use the Mcrypt functions

Mcrypt

That way if he ever changes backends the PW encryption routines won't need to change....

onion2k

If you're "typing them on the database" as you put it, just MD5 them while you're typing your insert statement.

insert into user (name, passwd) values ('bob',MD5('password'));

Any form of encryption is weak on a server if you're not using the Zend optimiser (or any optimiser). The encryption key is stored as plain text in the code. With a copy of the database and the code the whole lot might as well be plain text. Hashing is considerably better.

daok

MD5, MCRYPT or the mysql encryption? I am now more confused than ever lol

Tracer

But id you choose to use MD5 you will never be able to e-mail the user thier password if they forget it....you would have to assign them a new password, record the md5 hash to the db then email it to them...

Sgarissta

Originally posted by onion2k
If you're "typing them on the database" as you put it, just MD5 them while you're typing your insert statement.
insert into user (name, passwd) values ('bob',MD5('password'));
Any form of encryption is weak on a server if you're not using the Zend optimiser (or any optimiser). The encryption key is stored as plain text in the code. With a copy of the database and the code the whole lot might as well be plain text. Hashing is considerably better. [/B]

And if you're going to go with hashing drop MD5 and go with SHA1 ([man]sha1[/man]).

onion2k

Originally posted by Sgarissta
And if you're going to go with hashing drop MD5 and go with SHA1 ([man]sha1[/man]).

Remind me how you do that in an SQL statement...

Sgarissta

Originally posted by onion2k
Remind me how you do that in an SQL statement...

Remind me how to read the original post as opposed to just the comments...

(this makes twice for the day, i'm going for the record)

BuzzLY

Originally posted by Sgarissta
And if you're going to go with hashing drop MD5 and go with SHA1 ([man]sha1[/man]).

Any chance you could tell us why you think SHA1 is better than MD5?

laserlight

Any chance you could tell us why you think SHA1 is better than MD5?

SHA1 produces a 160 bit hash compared to MD5's 128 bit hash, and supposedly doesnt have certain hash collision problems that MD5 has.

Sgarissta

Originally posted by laserlight
SHA1 produces a 160 bit hash compared to MD5's 128 bit hash, and supposedly doesnt have certain hash collision problems that MD5 has.

What she said 🙂 But yes, it provides a longer hash, and has fewer "theoretical" problems of providing the same hash for two different sets of data.

BuzzLY

True... but for most applications, I'd say md5 is more than sufficient, and md5 is a faster computation.

laserlight

but for most applications, I'd say md5 is more than sufficient, and md5 is a faster computation.

For non-cryptographic use, such as in a checksum that verifies a downloaded file, I would say that MD5 definitely is more than sufficient.

In this case, the hash is being used to obfuscate the original password, so SHA1 should be preferable.